Re: SquirrelMail Cross Scripting Attacks....

To: Alvin Alex <alvin_gboy@xxxxxxxxxxx>
Subject: Re: SquirrelMail Cross Scripting Attacks....
From: Jonathan Angliss <jon@xxxxxxxxxxxxxxxx>
Date: Fri, 30 Apr 2004 15:22:47 -0500
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <20040429210906.31136.qmail@xxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20040429210906.31136.qmail@xxxxxxxxxxxxxxxxxxxxx>

Hello Alvin,
On Thursday, April 29, 2004, Alvin Alex wrote...

> SquirrelMail latest version (although is tested on version 1.4.2) is
> prone to many cross scripting attacks that can be used to steal user
> cookies.

[..]

> Squirrel Mail Coders have been informed of this vulnerability but
> the vulnerability still exists in their latest version.

PLEASE in future notify us before posting bug reports so we can ensure
a fix is in place... The 1.4.3 release which will be out shortly will
fix this issue, along with a number of other XSS issues. While we had
been notified of the issue, we were holding off on announcing the
issue until a fix was in place.

-- 
Jonathan Angliss
(jon@xxxxxxxxxxxxxxxx)

References:
- SquirrelMail Cross Scripting Attacks....
  - From: Alvin Alex

Prev by Date: [ GLSA 200404-21 ] Multiple Vulnerabilities in Samba
Next by Date: MDKSA-2004:040 - Updated libpng packages fix vulnerability
Previous by thread: SquirrelMail Cross Scripting Attacks....
Next by thread: A technical description of the SSL PCT vulnerability (CVE-2003-0719)
Index(es):
- Date
- Thread